UK senior decision makers believe younger workers are the biggest risk to cyber security, but are doing little to support them and reduce that risk, a report reveals

More than a third of senior executives believe that younger employees are the “main culprits” for data security breaches in the workplace, a study shows.

However, the same decision makers are doing very little to allay their own fears: more than a third of 18 to 24 year olds are able to access any files on the company network, and less than half (43%) have access only to the files that are relevant to their work.

These are the main findings of an independent study into attitudes to security of the next generation workforce, commissioned by security firm Centrify.

The study, conducted by Censuswide, sought the views of 1,000 next generation workers (18-24 year olds) and 500 decision makers in UK organisations.

The study examines how security, privacy and online behaviour at work impacts the lives of younger employees and the companies that they work for.

Password sharing tops the list of what keeps decision makers awake at night (56%), yet 29% of younger workers say they are in the driving seat when it comes to password changes, with their employers leaving it to them to decide when a password needs changing. Furthermore, 15% admit to sharing passwords with colleagues.

Asked how younger employees could negatively impact the workplace, 47% of decision makers worry about them sharing social media posts and the impact these could have on brand and reputation.

These concerns appear well founded with one in five workers saying they are not bothered about how their social media activity might affect their employers and 18% admitting that their posts could compromise employers’ security and privacy policies.

However, less than half say their company has social media guidelines in place, which the report says highlights the need for strong social media access controls that follow the principles of a zero-trust approach to security: one that assumes users inside the network are no more trustworthy than those outside it.

The “always on” approach to technology of younger workers, who have no experience of an offline world, further reinforces the need for robust security policies, the study report said. When it comes to this generation of workers, 40% of decision makers are concerned about their misuse of devices, while 35% say they are too trusting of technology and 30% worry that they share company data too easily.

While 79% of decision makers report having a strong security policy in place and 74% of them think that their employees abide by it, over a third (37%) feel that young workers are too relaxed about security policies.

Awareness of the dark web

Decision makers also say the next generation of workers has a good awareness of the dark web (87%), underground hacking (79%) and crimeware. And although around half (48%) say they have strict guidelines in place for employees accessing these new “dark arts”, 39% feel they could be better.

“Some may think of younger workers as always online, always ready to share information and perhaps not being as concerned about privacy or security as perhaps older workers, but we must remember they are the business leaders of tomorrow and we must help not hinder them,” said Barry Scott, chief technology officer for Europe at Centrify.

“While it’s clear that employers are concerned about this new generation entering the workforce – and see them as a potential risk to both the business and brand – these same companies are perhaps guilty of not putting in place the right security processes, policies and technologies.

“If you give employees access to any information at any time from any place, or fail to enforce strict password and security policies, they are likely to take full advantage, putting both their own jobs at risk as well as the company itself,” he said.

According to Scott, the study shows it is time to discard the old castle and moat model of “trust but verify” because it does not work in today’s mobile-first, cloud-enabled world where employees can be anywhere and work on multiple devices.

“Traditional network perimeters are dissolving and security professionals must adopt a zero-trust security approach that assumes bad actors are already on the network,” he said. “With zero-trust, we verify every user, validate their device and limit their access to only the resources they need, and use machine learning to ensure the resulting improved security has no impact on efficiency.

“Let’s be clear that zero-trust is not saying we’ve lost trust in our employees, it actually provides an enabler to allow them to work exactly the same way wherever they are, and provides the company with a stronger security posture.”

Extra mentoring needed

The study report concludes that while managers’ assumptions that next-generation workers are the root of cyber security problems in the workplace may be overstated, there are some areas, such as social media use and password management, where younger workers do need extra mentoring.

Decision makers can do more to address this problem, the report said, by putting technical controls in place, refining security policies and communicating them effectively to employees.

However, according to the report, leadership and the need for decision makers to set a good example are equally important. “If managers can demonstrate a commitment to security through their own policies and actions, then the next-generation workforce will surely follow,” the report said.
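The technical controls the report calls for come down to the zero-trust decision described above: verify the user, validate the device, and grant only the resources that user needs, regardless of where the request comes from. The following is an added illustration of that decision, not code from Centrify or from the study; the users, device posture thresholds and entitlement patterns are constructed for the example. It also includes a small audit helper for the report's other finding, principals whose entitlements amount to "any file on the network".

```python
"""Added example: a zero-trust access decision plus a least-privilege audit.

Three inputs decide every request: the user's identity (verified with MFA),
the device's posture, and whether the resource falls inside that user's
least-privilege entitlements. Network location is deliberately NOT an input.
Users, thresholds and entitlements are constructed for illustration; this is
not Centrify's or any vendor's code.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled in device management
    disk_encrypted: bool
    patch_age_days: int     # days since the last patch baseline was met


@dataclass(frozen=True)
class User:
    name: str
    mfa_verified: bool
    entitlements: frozenset  # glob patterns over resource paths (assumed format)


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # why a request was denied


MAX_PATCH_AGE_DAYS = 30  # assumed posture threshold


def device_compliant(dev: Device) -> list:
    """Return the list of posture failures (empty means compliant)."""
    problems = []
    if not dev.managed:
        problems.append("device not enrolled in management")
    if not dev.disk_encrypted:
        problems.append("disk not encrypted")
    if dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return problems


def authorize(user: User, dev: Device, resource: str, source_ip: str = "") -> Decision:
    """Decide one request. source_ip is accepted only to make the point that
    it plays no part in the decision: inside and outside are treated alike."""
    reasons = []
    if not user.mfa_verified:
        reasons.append("user identity not verified with MFA")
    reasons += device_compliant(dev)
    if not any(fnmatchcase(resource, pat) for pat in user.entitlements):
        reasons.append(f"{user.name} has no entitlement covering {resource}")
    return Decision(allowed=not reasons, reasons=reasons)


def over_entitled(users) -> list:
    """Flag principals whose entitlements mean 'every file on the network'."""
    return sorted(u.name for u in users
                  if any(p.strip("/\\") in ("*", "**") for p in u.entitlements))


# Constructed sample data.
USERS = [
    User("alice", mfa_verified=True, entitlements=frozenset({"/finance/invoices/*"})),
    User("bob", mfa_verified=True, entitlements=frozenset({"/*"})),   # the over-broad case
    User("carol", mfa_verified=False, entitlements=frozenset({"/hr/*"})),
]
COMPLIANT = Device(managed=True, disk_encrypted=True, patch_age_days=5)
STALE = Device(managed=True, disk_encrypted=True, patch_age_days=90)

if __name__ == "__main__":
    requests = [
        (USERS[0], COMPLIANT, "/finance/invoices/q3.xlsx", "10.0.0.5"),     # allow
        (USERS[0], COMPLIANT, "/finance/invoices/q3.xlsx", "203.0.113.9"),  # allow: location irrelevant
        (USERS[0], COMPLIANT, "/hr/salaries.xlsx", "10.0.0.5"),            # deny: not entitled
        (USERS[0], STALE, "/finance/invoices/q3.xlsx", "10.0.0.5"),         # deny: device posture
        (USERS[2], COMPLIANT, "/hr/salaries.xlsx", "10.0.0.5"),            # deny: no MFA
    ]
    for user, dev, res, ip in requests:
        dec = authorize(user, dev, res, ip)
        print(f"{user.name:6} {res:28} {'ALLOW' if dec.allowed else 'DENY':5} {dec.reasons}")
    print("over-entitled principals:", over_entitled(USERS))
```

The denial reasons are returned rather than printed so they can feed an audit log or a SIEM; the over_entitled check is the one to run first against a real entitlement export, since it is the cheapest way to find the "access to any file" population the study describes.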

End-users can be the weakest link in your infosec defense. But according to KnowBe4 founder and CEO Stu Sjouwerman, there is something you can do about that – if you implement the right behavioral diagnostics and focus your training needs on individual users’ actual weaknesses.

What if a server holding order processing or patient health records was maliciously encrypted and held hostage for ransom? What if an organisation’s domain controller was rendered unusable? Or what if an application server slowed to a crawl because attackers had exploited an unpatched vulnerability to mine cryptocurrency?

If a laptop is infected with ransomware, one user’s productivity is affected. But if a server is attacked and made unavailable, the whole organisation may be impacted. You don’t have to look further than last year’s WannaCry and NotPetya attacks to see examples of this (NotPetya presented itself as ransomware but offered no working recovery path, so in practice it was destructive).

Merck, the global pharmaceuticals company, Maersk, the global shipping and transportation company, and FedEx were all hugely financially impacted by the NotPetya attacks.

But it wasn’t just multinational corporations that fell victim. Smaller companies, such as Nuance Communications, were also hit. The company recently disclosed its losses in a filing with the Securities and Exchange Commission (SEC).

Nuance was unable to get its software back online completely until early August, inhibiting its ability to offer SaaS transcription services for healthcare companies. The company also mentioned that a subsequent data breach in November had occurred when “an unauthorized third party illegally accessed reports hosted on a Nuance transcription platform.”

The company expects to incur additional costs this year as it enhances and upgrades its cybersecurity software, while still providing additional resources to its healthcare customers.

The 2018 Verizon Data Breach Investigations Report notes how ransomware has increased in prevalence because it has been, and continues to be, an effective tool for cybercriminals.

To find out how to be part of the early access program for the Server Protection products by Sophos – Contact us.


Exploits are the techniques attackers use to gain access to and control of computers. Bugs and vulnerabilities in popular, legitimate software can be exploited to steal data, hold files for ransom, perform reconnaissance, or simply to deploy malware.

Attackers rely on exploits the same way video game characters rely on their weapons toolkits: without them, it would be like going into battle unarmed. And despite being extremely popular with attackers, exploits still get past many defences, because the software being exploited (Microsoft Office, Adobe Reader and the like) is legitimate and generally treated as “safe” by security products, so malicious activity that runs inside one of those trusted processes is not obviously suspicious on its own.
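Because the exploited process is a trusted one, exploit protection has to judge behaviour rather than reputation. The following is an added example of that idea, not Sophos's or MRG Effitas's detection logic: a rule that flags a document renderer (Word, Excel, Acrobat Reader) spawning a shell, script host or other living-off-the-land binary, run over a few constructed process-creation events in a simplified Sysmon EventID 1 style. The field names, process lists and allowlist are assumptions to be tuned for a real estate.

```python
"""Added example: behavioural detection for the trusted-application problem.

The parent process (Word, Reader, ...) is legitimate, so the rule ignores its
reputation and looks at what it launches next. A document renderer spawning a
shell, script host or LOLBin is a classic post-exploitation sign. Log lines,
field names and process lists below are constructed assumptions, not any
vendor's rule set.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Applications that render untrusted content and are routinely targeted by exploits.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "acrord32.exe", "acrobat.exe"}
# Children a document renderer has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe"}
# Children that legitimately appear (print spooler helper, Adobe updater); tune per estate.
ALLOWLIST = {"splwow64.exe", "adobearm.exe"}

# key=value pairs; quoted values may contain spaces.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# PowerShell encoded-command switch, a common exploit payload stage.
_ENCODED = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' event line into a dict."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, description) if the event matches, else None."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    if parent not in DOCUMENT_APPS or child in ALLOWLIST:
        return None
    if child not in SUSPICIOUS_CHILDREN:
        return None
    cmdline = ev.get("CommandLine", "")
    severity = "high"
    # Encoded PowerShell launched from a document app is about as clear as it gets.
    if child in ("powershell.exe", "pwsh.exe") and _ENCODED.search(f" {cmdline} "):
        severity = "critical"
    return severity, f"{parent} spawned {child}: {cmdline}"


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run the rule over event lines and collect alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        hit = check_event(parse_event(line))
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events (simplified Sysmon EventID 1 fields).
SAMPLE_LOG = r'''
EventID=1 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="cmd.exe /c whoami"
EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"
EventID=1 Image="C:\Windows\splwow64.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" CommandLine="splwow64.exe 12345"
EventID=1 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="cmd.exe"
'''.strip().splitlines()

if __name__ == "__main__":
    for severity, description in scan(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```

Of the four constructed events only the first two alert: Word launching cmd.exe and Reader launching encoded PowerShell. The spooler helper is allowlisted and the explorer.exe-launched shell has an untrusted-content parent nowhere in the chain, which is exactly the distinction a reputation-only check cannot make.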

This would seem to make exploit testing a no-brainer for comparative product tests. The problem, however, is that because software vulnerabilities change constantly, exploit-based attacks are some of the most difficult scenarios to test reliably and repeatably.

Fortunately, MRG Effitas managed to develop reliable and repeatable exploit testing scenarios and has recently released its “Exploit and Post-Exploit Protection Test” report. Commissioned by Sophos, this report compares the exploit-stopping abilities of nine different endpoint products.

In the report’s results, Sophos far outperformed the other vendors at stopping exploits. The report scores each case at one of two levels: Level 1 means that the product blocked the exploit itself, and Level 2 means that the exploit was missed but the attack was stopped by other means.

Sophos blocked 34 out of 35 exploits tested, while the next highest score was 22 out of 35. In fact, most vendors weren’t even able to stop half of the exploits that Sophos was able to stop.

This test was a follow-up to MRG’s previous report on malware protection. In that commissioned report, Sophos ranked #1 for both malware protection and potentially unwanted application (PUA) protection.

To summarize the test results from the two MRG Effitas reports:

Sophos ranks #1 in exploit prevention

Sophos ranks #1 in malware protection

Sophos ranks #1 in potentially unwanted application prevention

Contact us for more information on Sophos Endpoint, or watch one of the on-demand webinars in which Sophos discusses the deep learning in the Endpoint product, cryptojacking and more.

Sophos Cybersecurity Advisor James Lyne appeared on NBC recently, where he talked about the state of cybersecurity and what we can all do to protect ourselves and our information. It’s an important, realistic look at the state of our data, and what we can do to stay ahead of the bad guys.

Take a moment to scan the results of this survey of 2,700 industry professionals to learn more about how to protect your business (Survey Results).

Learn more about protecting your business from ransomware and other never-before-seen threats before they disrupt your business and impact your bottom line: check out Sophos’ whitepaper, Exploits Interrupted.

If you have questions on any of the Sophos products, or on how to ensure your employees do not inadvertently open an email with malicious content, contact us at sales@symtrex.com, by phone on 866-431-8972, or use the chat window.